Breach Netscape Security with Java

We have found another Java security flaw that allows a malicious applet to disable all security controls in Netscape Navigator 4.0x. Once the security controls are disabled, the applet can do whatever it likes on the victim's machine, including arbitrarily reading, modifying, or deleting files. We have implemented a demonstration applet that deletes a file.

This flaw, like several previous ones, is in the implementation of the "ClassLoader" mechanism that handles dynamic linking in Java. Despite changes to the ClassLoader implementation in JDK 1.1 and again in JDK 1.2 beta, ClassLoaders are still not safe: a malicious ClassLoader can still override the definition of built-in "system" types such as java.lang.Class. Under some circumstances this leads to a subversion of Java's type system, and thus to a security breach.
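The defense that later JDKs adopted against exactly this kind of ClassLoader abuse is worth seeing in working code. The following example is added here for illustration; it is not code from the original announcement or from the Princeton group. It assumes a modern JDK (8 or later), and the class names RogueLoader and SystemTypeGuardDemo are mine. It shows two checks a practitioner can rely on today: defineClass refuses any class name in a java.* package from a user-defined loader (HotSpot throws SecurityException "Prohibited package name"), and the default parent-first delegation in loadClass means a request for java.lang.Class through an arbitrary loader still resolves to the one bootstrap-defined Class object rather than to a look-alike.

```java
// Added example (not from the original announcement): demonstrates the JVM's
// defenses against a user-defined ClassLoader that tries to supply its own
// definition of a system type such as java.lang.Class.
public class SystemTypeGuardDemo {

    /** A deliberately hostile loader that tries to redefine a java.* class. */
    static final class RogueLoader extends ClassLoader {
        RogueLoader() {
            // Parent is the application loader, as for a typical custom loader.
            super(RogueLoader.class.getClassLoader());
        }

        /** Attempts to define a class under the given name from the given bytes. */
        Class<?> tryDefine(String name, byte[] bytes) {
            // defineClass validates the name before it parses the bytes, so for a
            // java.* name the content of the array never even gets examined.
            return defineClass(name, bytes, 0, bytes.length);
        }

        /** Resolves a name through this loader (default parent-first delegation). */
        Class<?> resolve(String name) throws ClassNotFoundException {
            return loadClass(name);
        }
    }

    /** Returns true if defineClass refused to shadow a java.lang type. */
    static boolean defineIsRefused() {
        RogueLoader loader = new RogueLoader();
        // Constructed input: a few junk bytes standing in for a forged class file.
        byte[] forged = { (byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE };
        try {
            loader.tryDefine("java.lang.Class", forged);
            return false; // would mean the loader was allowed to shadow a system type
        } catch (SecurityException expected) {
            // HotSpot reports "Prohibited package name: java.lang"
            return true;
        }
    }

    /** Returns true if java.lang.Class loaded via the rogue loader is the bootstrap class. */
    static boolean delegationYieldsBootstrapClass() throws ClassNotFoundException {
        RogueLoader loader = new RogueLoader();
        Class<?> viaRogue = loader.resolve("java.lang.Class");
        // Identity comparison: the JVM keeps one Class object per (loader, name),
        // and java.lang.Class belongs to the bootstrap loader, reported as null.
        return viaRogue == Class.class && viaRogue.getClassLoader() == null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("defineClass(\"java.lang.Class\") refused: " + defineIsRefused());
        System.out.println("loadClass(\"java.lang.Class\") yields bootstrap class: "
                + delegationYieldsBootstrapClass());
    }
}
```

Both methods return true on a current JDK. Note that the package-name check only covers java.*; a loader can still define classes in other packages, so code that accepts classes from untrusted loaders should compare Class objects by identity (as above) rather than by name, since two loaders may each define a distinct class with the same fully qualified name.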

The flaw is not directly exploitable unless the attacker can use some other, secondary flaw to gain a foothold. Netscape 4.0x has such a secondary flaw (a security manager bug found by Mark LaDue), so we were able to demonstrate how to subvert Netscape's security controls. We are not aware of any usable secondary flaws in Microsoft's and Sun's current Java implementations, so they appear not to be vulnerable to our attack at present.

Please direct any inquiries to Edward Felten at (609) 258-5906 or felten@cs.princeton.edu.